Update: In 2014 McAfee renamed Endpoint Encryption for PC (EEPC) to McAfee Drive Encryption (MDE). These instructions are valid for both versions.

Introduction

Out Of Band Unlock PBA is a new feature in EEPC v7. It is one of the three new Out Of Band management features that become available when Intel vPro hardware and McAfee Deep Command are in place. The idea of Unlock PBA is to authenticate securely in the pre-boot environment without requiring end user interaction. It is important to understand that this action does not "bypass" pre-boot authentication. Instead, it authenticates using McAfee Deep Command and then retrieves a key from the ePO server; that key is used to authenticate and unlock the PBA. From that point, administrators can interact with the system just as they did before it was encrypted, and the systems management roadblocks typically associated with full disk encryption pre-boot environments are removed.


There are three primary benefits to this approach and each is discussed below.

Location Aware Pre-Boot

Shared systems pose a problem for pre-boot environments. In large organizations it simply isn't feasible to provision every user to every shared system. We see this in hospitals, where hundreds of nurses may use the same computer on a rotating basis; it is also a challenge for shared workstations (e.g. a call center) and for loaner laptops. In these situations it would be convenient to simply eliminate pre-boot authentication. While this is possible, it is not a secure solution: if the system were ever lost or stolen, an unauthorized person would only have to power it on to get access to the OS.


EEPC Out Of Band Unlock PBA solves this problem. It enables a workflow whereby a system does not require pre-boot authentication unless it is removed from the internal network. When the system is configured this way, the EEPC pre-boot environment always attempts to establish a network connection with the ePO server when it boots. If it can establish a connection, it retrieves a key from ePO, and that key is used to authenticate in the pre-boot environment, so no end user has to authenticate. Because the session between the pre-boot environment and ePO is authenticated and its traffic encrypted, the key is not exposed in transit; the check box described below is what ensures it is only delivered to a system that is actually on the internal network.


One important thing to note: the check box to require Client Initiated Local Access (CILA) only must be enabled for this approach to be secure. CILA is the Intel AMT connection mode used when the system is on the internal network; Client Initiated Remote Access (CIRA) is used when it reaches ePO over the internet. If the box is unchecked, the Out Of Band Unlock PBA action is still processed when the system connects via CIRA, so a lost or stolen laptop that reaches ePO from outside the network would boot into the OS without anyone entering credentials, which is exactly the outcome pre-boot authentication exists to prevent.

unlock pba 001.png

Wake and Patch

Without Out Of Band Unlock PBA, administrators cannot wake encrypted systems and manage them. They may be able to power them on with traditional methods such as Wake on LAN, but the system would then sit at the pre-boot authentication screen, and without a user present to enter credentials the remote administrator could not proceed. McAfee offers a utility for this situation, but it only works if it was run on the system before the system was shut down. Out Of Band Unlock PBA works on all Intel vPro systems without any such preparation: you select the systems in the System Tree and instruct them to power on and boot securely into the OS with no user present.


The administrator has the option to do this based on a schedule, or for a specified number of reboots. The screenshot below shows a policy set to Unlock PBA during a two hour window.

unlock pba 002.png


First Time User

Provisioning a user account to function in the pre-boot environment can be a challenge. This is especially true when machines are being initially imaged or re-imaged, and when a system is shared or handed from one user to another. Without this feature, the only way for the new user to get into the system is to call the helpdesk and go through the challenge/response recovery procedure. That works well, but it is time consuming. EEPC Out Of Band Unlock PBA is much faster because it eliminates the challenge/response step. With it in place, administrators can keep pre-boot authentication enabled at all times while granting ad-hoc user access with a brief helpdesk call. This is preferable to the common practice of temporarily disabling pre-boot authentication, because it keeps the system secure while adding only a negligible amount of administrative overhead.


To accommodate a first time user, you simply set the "number of times" field to one. This will create an action in the Out Of Band work queue. If the user is currently stuck at the pre-boot login screen, you should advise them to reboot their PC or wait up to five minutes. At that point, the EEPC pre-boot environment will initiate a network connection to ePO. It will then find the unlock action in the work queue. This action will send a key to the system and that key will be used to authenticate to the pre-boot environment and boot the system into Windows. Once this is done, the user will automatically be provisioned to the pre-boot environment after the McAfee Agent synchronizes with ePO (assuming that the Add Local Domain Users policy option is enabled in the EEPC Product Settings policy).

unlock pba 003.png


Workflow

  1. Administrator selects system(s) in System Tree
  2. Actions > Endpoint Encryption > Out Of Band Unlock PBA
  3. Administrator chooses which kind of unlock action they wish to perform
  4. McAfee ePO writes the action to the Out Of Band Work Queue
    1. Location Aware Pre-Boot is established as a persistent action, meaning that it will remain in the work queue until deleted by an administrator
    2. Wake and Patch, and First Time User actions are established as transient actions, meaning that they will run as configured and then be automatically removed from the work queue when complete
  5. The EEPC pre-boot environment will attempt to establish a secure connection with ePO
    1. Location Aware Pre-Boot will only establish the connection and process the work queue if the system is on the internal network (i.e. connecting via CILA rather than CIRA).
    2. Wake and Patch, and First Time User actions are processed for systems on the internal network and for those connecting via the internet, because these actions are not limited to CILA connections.
  6. McAfee ePO delivers a key to the EEPC pre-boot environment. Note that this takes up to 30 seconds after boot, so the user will temporarily see the pre-boot authentication screen.
  7. EEPC uses this key to authenticate to the pre-boot environment
  8. The Windows OS loads
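To make the gating rules in the workflow above concrete, here is an added model of the work-queue dispatch. It is example code written for this page, not McAfee ePO, EEPC or Deep Command code; the Conn enum, the UnlockAction and WorkQueue classes and the action labels are assumptions that stand in for the product's internal representation, and the scheduled-window variant of Wake and Patch is not modelled. The model shows why the CILA-only check box matters: the same persistent Location Aware action is refused over CIRA when the box is set and granted from anywhere when it is not, while transient actions count down and disappear on their own.

```python
"""Model of the Out Of Band Unlock PBA work queue described in the Workflow
section.

Added illustration only: this is not McAfee ePO, EEPC or Deep Command code.
The Conn enum, UnlockAction, WorkQueue and the action labels are assumptions
that model the behaviour the article describes (persistent vs transient
actions, the "require CILA only" check box, the "number of times" counter).
"""
from dataclasses import dataclass, field
from enum import Enum


class Conn(Enum):
    """How the pre-boot environment reached ePO (Intel AMT connection mode)."""
    CILA = "cila"  # Client Initiated Local Access: on the internal network
    CIRA = "cira"  # Client Initiated Remote Access: over the internet


@dataclass
class UnlockAction:
    kind: str            # "location_aware", "wake_and_patch" or "first_time_user"
    persistent: bool     # True: stays queued until an administrator deletes it
    cila_only: bool      # the "require CILA only" check box
    remaining: int = 1   # "number of times" for transient actions


@dataclass
class WorkQueue:
    actions: list = field(default_factory=list)

    def process_boot(self, conn: Conn) -> bool:
        """Simulate one pre-boot connection to ePO.

        Returns True when a key is delivered and the PBA is unlocked without a
        user, False when the user is left at the pre-boot login screen.
        """
        for action in list(self.actions):
            if action.cila_only and conn is not Conn.CILA:
                # Off the internal network: keep pre-boot authentication.
                continue
            if not action.persistent:
                action.remaining -= 1
                if action.remaining <= 0:
                    # Transient actions are removed once they have run.
                    self.actions.remove(action)
            return True
        return False


def location_aware_queue(cila_only: bool = True) -> WorkQueue:
    """Location Aware Pre-Boot: a persistent action."""
    return WorkQueue([UnlockAction("location_aware", persistent=True,
                                   cila_only=cila_only)])


def wake_and_patch_queue(reboots: int) -> WorkQueue:
    """Wake and Patch for a fixed number of reboots (transient, any network)."""
    return WorkQueue([UnlockAction("wake_and_patch", persistent=False,
                                   cila_only=False, remaining=reboots)])


def first_time_user_queue() -> WorkQueue:
    """First Time User: "number of times" set to one (transient, any network)."""
    return WorkQueue([UnlockAction("first_time_user", persistent=False,
                                   cila_only=False, remaining=1)])


def simulate(queue: WorkQueue, boots) -> list:
    """Run a sequence of boots (each a Conn) and report whether each unlocked."""
    return [queue.process_boot(conn) for conn in boots]


if __name__ == "__main__":
    # Correct configuration: a stolen laptop that reaches ePO over the
    # internet (CIRA) is NOT unlocked; back on the internal network it is.
    print(simulate(location_aware_queue(cila_only=True), [Conn.CIRA, Conn.CILA]))
    # Misconfiguration: with the box unchecked the same laptop is unlocked
    # from anywhere, which defeats the purpose of pre-boot authentication.
    print(simulate(location_aware_queue(cila_only=False), [Conn.CIRA]))
    # First Time User: one unlock, after which the queue entry is gone.
    queue = first_time_user_queue()
    print(simulate(queue, [Conn.CIRA, Conn.CILA]), queue.actions)
```

Run it as a script to see the three scenarios; the first line of output is the one to compare against the second, since only the check box differs between them.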

Other Resources

EEPC v7.0 FAQ - Integration with Intel AMT for Out of Band Management